Windows 2008 logon event id
For information about the type of logon, see the Logon Types table below. A logon failure means that a logon attempt was made with an unknown user name, or with a known user name but a bad password.

A user successfully logged on to a computer using explicit credentials while already logged on as a different user. The Batch logon type is used by batch servers, where processes may execute on behalf of a user without that user's direct intervention. In a NetworkCleartext logon, a user logged on to this computer from the network and the user's password was passed to the authentication package in its unhashed form; the built-in authentication packages all hash credentials before sending them across the network.

The credentials do not traverse the network in plaintext (also called cleartext). In a NewCredentials logon, a caller cloned its current token and specified new credentials for outbound connections; the new logon session has the same local identity but uses different credentials for other network connections. In a CachedInteractive logon, a user logged on to this computer with network credentials that were stored locally on the computer. A logon process collects identification and authentication information and then uses Local Security Authority services to log on users.

Suppose a network logon is recorded for a user named Bob. Does that mean that Bob connected to a Windows resource such as a shared folder, or that he accessed a web page on the server? The logon type alone cannot tell you, but some logon processes are authentication-protocol specific, as shown in the chart below.

These fields identify the DLL that handled the actual authentication of the logon attempt. Together, the Logon Process and Authentication Package fields, shown below, provide valuable information about where and how a user attempted to log on to the system. This matters because there are so many ways to access a Windows computer. Among the packages listed: NT LanManager (NTLM), used for logons with local accounts and others; and Kerberos or NTLM, depending on client capability.

Even so, these fields provide information that would otherwise be unavailable. An example of the first part of a logon event appears in the referenced figure. When you copy an event, Microsoft also includes an attempt to explain parts of the event and presents the information in XML format. Both network and interactive logons are recorded under the same event ID; the logon type field, shown in the chart below, is what tells you how the user logged on.

Logon type 2 indicates an interactive logon at the console, and type 3 indicates a network logon. The remaining types named in the chart are Unlock, NetworkCleartext, NewCredentials, RemoteInteractive and CachedInteractive (a logon with cached domain credentials, such as when logging on to a laptop away from the network). So now you know who logged on and how. Knowing where the user logged on is also useful: the workstation name and IP address recorded in the event let you track down that information.

Two other events appear under the Logon subcategory. Logon failures appear as a single event ID; in earlier Windows versions, several different events were used for failures.

That single event merges those events and includes a failure code that helps to identify the reason for the failure.

Microsoft did a good thing by adding the Failure Reason section to Windows Server events. This section provides some of the translation for you, but you can still earn your salt by becoming familiar with all of the codes, which are shown below. Finally, this subcategory includes the event "A logon was attempted using explicit credentials", which appears in a variety of situations, such as when RunAs is invoked or when a scheduled task runs.

Ostensibly, the Logoff subcategory should also make it possible to track the logon session that relates to a logoff event. Comparing the account's domain with the computer name tells you which kind of account it is: if they match, the account is a local account on that system; otherwise it is a domain account. Of course, if the logon is initiated from the same computer, the source information (workstation name and IP address) will either be blank or reflect the local computer itself.

An account was successfully logged on. This event is generated on the computer that was accessed. The Subject fields indicate the account on the local system which requested the logon; this is most commonly a service such as the Server service, or a local process such as Winlogon. The Logon Type field indicates the kind of logon that occurred; the most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created.

The Network fields indicate where a remote logon request originated. The workstation name is not always available and may be left blank in some cases. The Authentication Information fields provide detailed information about this specific logon request.

Impersonation Level: Impersonation. Transited Services indicates which intermediate services have participated in this logon request. Package Name indicates which sub-protocol was used among the NTLM protocols.

Key Length indicates the length of the generated session key; this will be 0 if no session key was requested.
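As an added worked example (not code from this page or from Microsoft), the following Python script parses logon events in the exported Event XML format mentioned above and pulls together the fields the sections above describe: the logon type, the account and whether it is local or domain (account domain equal to the computer name), the Network fields (blank or the local machine when the logon originated on the same computer), the logon process and authentication package, the key length, and the failure code of a failed logon. The sample events are constructed, not captured. The logon type numbers beyond 2 and 3, the event IDs 4624 and 4625, and the NTSTATUS failure codes come from Microsoft's documentation rather than from this page; the element names (`EventID`, `Computer`, `Data Name="..."`) are those of the Windows Event XML schema.

```python
"""Summarize exported Windows Security logon events (Event XML): who logged
on, how (logon type), from where, and through which logon process/package."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type numbers as documented by Microsoft; the text above gives only
# the numbers for Interactive (2) and Network (3), the names are from the page.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# NTSTATUS values seen in the Status/SubStatus fields of a failed logon.
FAILURE_CODES = {"0xc0000064": "user name does not exist",
                 "0xc000006a": "bad password",
                 "0xc0000234": "account locked out",
                 "0xc0000072": "account disabled"}

# Event IDs for "An account was successfully logged on" / "An account failed
# to log on" (documented values; the scraped text above omits them).
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625


def _event_xml(event_id, computer, fields):
    """Build a minimal Event XML document (constructed sample, not a capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed samples: a domain user over the network, a local console logon,
# a cleartext network logon, and a failed network logon with a bad password.
SAMPLE_EVENTS = [
    _event_xml(LOGON_SUCCESS, "SRV01.corp.example", {
        "TargetUserName": "bob", "TargetDomainName": "CORP", "LogonType": "3",
        "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
        "WorkstationName": "WS42", "IpAddress": "10.0.0.42", "KeyLength": "0"}),
    _event_xml(LOGON_SUCCESS, "SRV01.corp.example", {
        "TargetUserName": "Administrator", "TargetDomainName": "SRV01",
        "LogonType": "2", "LogonProcessName": "User32",
        "AuthenticationPackageName": "Negotiate", "WorkstationName": "SRV01",
        "IpAddress": "127.0.0.1", "KeyLength": "0"}),
    _event_xml(LOGON_SUCCESS, "SRV01.corp.example", {
        "TargetUserName": "svc_web", "TargetDomainName": "CORP", "LogonType": "8",
        "LogonProcessName": "Advapi", "AuthenticationPackageName": "Negotiate",
        "WorkstationName": "WS07", "IpAddress": "10.0.0.7", "KeyLength": "0"}),
    _event_xml(LOGON_FAILURE, "SRV01.corp.example", {
        "TargetUserName": "bob", "TargetDomainName": "CORP", "LogonType": "3",
        "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
        "WorkstationName": "WS42", "IpAddress": "10.0.0.42",
        "Status": "0xc000006d", "SubStatus": "0xc000006a"}),
]


def summarize(xml_text):
    """Return a flat summary of one logon event (success or failure)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    host = root.findtext("e:System/e:Computer", namespaces=NS).split(".")[0].upper()
    f = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ltype = int(f.get("LogonType") or 0)
    domain = f.get("TargetDomainName", "")
    # Account domain equal to the computer name means a local account.
    scope = "local" if domain.upper() == host else "domain"
    ws, ip = f.get("WorkstationName", ""), f.get("IpAddress", "")
    # Blank, "-", loopback or the computer's own name: the logon came from
    # the same computer, so the Network fields add nothing.
    same_host = ws.upper() in ("", "-", host) and ip in ("", "-", "127.0.0.1", "::1")
    notes = []
    if ltype == 8:  # NetworkCleartext: the password reached the package unhashed
        notes.append("password passed to the authentication package unhashed")
    if event_id == LOGON_FAILURE:
        code = (f.get("SubStatus") or f.get("Status") or "").lower()
        notes.append("failure: " + FAILURE_CODES.get(code, f"unmapped status {code}"))
    return {"event_id": event_id,
            "outcome": "success" if event_id == LOGON_SUCCESS else "failure",
            "account": f"{domain}\\{f.get('TargetUserName', '')}",
            "account_scope": scope,
            "logon_type": ltype,
            "logon_type_name": LOGON_TYPES.get(ltype, "unknown"),
            "source": "same computer" if same_host else f"{ws or '?'} ({ip or '?'})",
            "logon_process": f.get("LogonProcessName", ""),
            "auth_package": f.get("AuthenticationPackageName", ""),
            "key_length": int(f.get("KeyLength") or 0),
            "notes": notes}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        s = summarize(event)
        print(f"{s['outcome']:7} {s['account']:22} {s['logon_type_name']:17} "
              f"{s['account_scope']:6} from {s['source']} via "
              f"{s['logon_process']}/{s['auth_package']} {s['notes']}")
```

On a real system the same function can be fed the XML that Event Viewer's "Copy > Copy Details as Text" or an export produces for each event; the one-line summary per event is the form in which a reviewer can scan a day of logons and spot the type 8 and failed entries that deserve a closer look.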
